Re: Opie and protecting passphrases

From: Andrey A. Chernov (ache@nagual.pp.ru)
Date: 08/05/01


Date: Mon, 6 Aug 2001 00:18:07 +0400
From: "Andrey A. Chernov" <ache@nagual.pp.ru>
To: Bill Fenner <fenner@research.att.com>

On Sun, Aug 05, 2001 at 11:58:03 -0700, Bill Fenner wrote:
>
> I'd like to enable opie's "INSECURE_OVERRIDE" by default in FreeBSD.

Me too. We can add just the opposite option for admins who don't trust any
remote connection. Since nowadays most machines are servers with no
regular console access at all, remote OPIE usage should be preferred and the default.

> My reasoning is that:
> a) opie uses heuristics, which can't always be right.

Moreover, these heuristics don't cover many secure connection schemes like
SSH, SRA Telnet, Kerberos, etc. It means that current OPIE effectively
prevents the user from using a secure connection in the regular way. E.g., if his
password count goes to zero, with the current variant he must ask the sysadmin
each time to change it, since opiepasswd doesn't know anything about his
secure connection and refuses to run.

Even running OPIE on the console currently has problems too, because you
can't use things like 'screen'.

> b) The heuristics can be fooled, so they are not a panacea even if they're
> usually right.

Yes. E.g., the opiekey -f restriction leads to a re-compiled (-f enabled)
unofficial opiekey distribution from the user community (since opiekey doesn't
use the s-bit and protected files, it is just a calculator).

> d) Other parts of the system, like ssh, make no attempt to protect the
> user from typing a passphrase over an insecure connection.

Moreover, the previous SKEY library which OPIE tries to replace now has all
these things enabled, so we need to enable them for compatibility reasons
too.

I want to add a word about /etc/opieaccess too, which is the replacement for
the former /etc/skey.access and contains trusted network numbers. Parsing of
this file must be enabled (compiled in) by default too, for compatibility
reasons and various purposes like FTP tunneling via SSH (on a single machine
without any trusted networks).

-- 
Andrey A. Chernov
http://ache.pp.ru/
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

